Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
Hi,

short update:

* Bjoern Buerger (b.buer...@pengutronix.de) [190625 12:08]:
> * Andreas Metzler (ametz...@bebt.de) [190621 09:58]:
> > On 2019-06-19 Bjoern Buerger wrote:
> > > * Andreas Metzler (ametz...@bebt.de) [190618 19:15]:
> > [...]
> > > > Could you try
> > > > a) disabling BDAT (set chunking_advertise_hosts = )
> > > > b) try a backport of sa-exim 4.2.1-17?
> > > >
> > > > See #879687.
>
> chunking_advertise_hosts is now disabled,
> sa-exim is 4.2.1-17.

We haven't seen any problem since upgrading to sa-exim 4.2.1-17
and disabling chunking_advertise_hosts.

Cheers,
Bjørn

--
Pengutronix e.K. | Bjørn Bürger|
Industrial Linux Solutions| https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5002 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- |
Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
* Andreas Metzler (ametz...@bebt.de) [190621 09:58]:
> On 2019-06-19 Bjoern Buerger wrote:
> > * Andreas Metzler (ametz...@bebt.de) [190618 19:15]:
> [...]
> > > Could you try
> > > a) disabling BDAT (set chunking_advertise_hosts = )
> > > b) try a backport of sa-exim 4.2.1-17?
> > >
> > > See #879687.
>
> > We could give it a try, but I don't see the point.
>
> Did you test it yet?

We are testing it now. I wanted to check first, if this
might be a onetime error. But yesterday it happened again.

chunking_advertise_hosts is now disabled,
sa-exim is 4.2.1-17.

Now, we need to wait again. Last time it took ~7 days.

Bjørn

--
Pengutronix e.K. | Bjørn Bürger|
Industrial Linux Solutions| https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5002 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- |
Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
On 2019-06-19 Bjoern Buerger wrote:
> * Andreas Metzler (ametz...@bebt.de) [190618 19:15]:
[...]
> > Could you try
> > a) disabling BDAT (set chunking_advertise_hosts = )
> > b) try a backport of sa-exim 4.2.1-17?
> > See #879687.

> We could give it a try, but I don't see the point.

Did you test it yet?

> Judging from the #879687 description I find it hard
> to believe that large chunks of local files like
> /etc/aliases (~100 lines) would end up in spool files
> due to this bug. But maybe I don't see the whole
> picture yet?

With BDAT some versions of sa-exim can misparse the spool-file and write
back invalid data.

cu Andreas
Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
* Andreas Metzler (ametz...@bebt.de) [190618 19:15]:
> On 2019-06-17 Bjoern Buerger wrote:
> > On Mon, 17 Jun 2019 Andreas Metzler wrote:
> [...]
> > > what version did you upgrade from, the previous bpo-version (4.92-2) or
> > > the original stretch release?
>
> > exim4-base:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
> > exim4-daemon-heavy:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
> > exim4:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
> [...]
> > > Are you running sa-exim or something else that directly modifies the
> > > spoolfiles outside exim?
>
> > sa-exim
>
> Could you try
> a) disabling BDAT (set chunking_advertise_hosts = )
> b) try a backport of sa-exim 4.2.1-17?
>
> See #879687.

We could give it a try, but I don't see the point.

Judging from the #879687 description I find it hard
to believe that large chunks of local files like
/etc/aliases (~100 lines) would end up in spool files
due to this bug. But maybe I don't see the whole
picture yet?

bbu

--
Pengutronix e.K. | Bjørn Bürger|
Industrial Linux Solutions| https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5002 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- |
Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
On 2019-06-17 Bjoern Buerger wrote:
> On Mon, 17 Jun 2019 Andreas Metzler wrote:
[...]
> > what version did you upgrade from, the previous bpo-version (4.92-2) or
> > the original stretch release?

> exim4-base:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
> exim4-daemon-heavy:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
> exim4:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
[...]
> > Are you running sa-exim or something else that directly modifies the
> > spoolfiles outside exim?

> sa-exim

Could you try
a) disabling BDAT (set chunking_advertise_hosts = )
b) try a backport of sa-exim 4.2.1-17?

See #879687.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
On Mon, 17 Jun 2019 Andreas Metzler wrote:
> On 2019-06-17 Bjoern Buerger wrote:
> > Package: exim4-daemon-heavy
> > Version: 4.92-7
> > Severity: important
>
> [...]
> > We did update to 4.92-7 from bpo before we saw the problem for
> > the first time.
>
> what version did you upgrade from, the previous bpo-version (4.92-2) or
> the original stretch release?

exim4-base:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
exim4-daemon-heavy:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)
exim4:i386 (4.89-2+deb9u4, 4.92-7~bpo9+1)

> > 2019-06-13 17:55:22 1hbS4P-0004q8-LL <= linux-usb-ow...@vger.kernel.org \
> > H=vger.kernel.org [209.132.180.67] P=esmtp K S=9996 DKIM=linaro.org [...]
>
> > The first error message is logged with the same timestamp:
>
> > 2019-06-13 17:55:22 1hbS4P-0004q8-LL Format error in spool file
> > 1hbS4P-0004q8-LL-H: size=9934
>
> Are you running sa-exim or something else that directly modifies the
> spoolfiles outside exim?

sa-exim
Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
On 2019-06-17 Bjoern Buerger wrote:
> Package: exim4-daemon-heavy
> Version: 4.92-7
> Severity: important

[...]
> We did update to 4.92-7 from bpo before we saw the problem for
> the first time.

Hello Bjoern,

what version did you upgrade from, the previous bpo-version (4.92-2) or
the original stretch release?

[...]
> 2019-06-13 17:55:22 1hbS4P-0004q8-LL <= linux-usb-ow...@vger.kernel.org \
> H=vger.kernel.org [209.132.180.67] P=esmtp K S=9996 DKIM=linaro.org [...]

> The first error message is logged with the same timestamp:

> 2019-06-13 17:55:22 1hbS4P-0004q8-LL Format error in spool file
> 1hbS4P-0004q8-LL-H: size=9934

Are you running sa-exim or something else that directly modifies the
spoolfiles outside exim?

cu Andreas
Bug#930648: exim4-daemon-heavy: Weird leakage of unrelated data like /etc/aliases into /var/spool/exim4/input/*-H
Package: exim4-daemon-heavy
Version: 4.92-7
Severity: important

Dear Maintainer,

The following is currently just an observation, as we haven't been
able to reproduce the problem yet. It might be caused by faulty memory on
the affected server but it could also be related to CVE-2019-10149 fixes,
which were applied just before we saw the problem for the first time:

Observations:

* Four days ago, we recognized some frozen Mails in one of our
  exim4 mail queues with error messages like
  "spool format error: size=9934 ***"

* While inspecting the Spool directories, we found unrelated data
  concatenated to all affected /var/spool/exim4/input/*-H files.
  Mostly parts of /etc/aliases (mostly chunks of ~100 lines, but from
  different locations in the file)

* What led up to the situation?

  No idea. We did update to 4.92-7 from bpo before we saw the problem for
  the first time. The server had ~100 days of uptime and is processing
  a few thousand emails every day, but only a handful seem to be
  affected by this. We haven't been able to reproduce the problem yet.

  We can see the incoming email in our logs

  Example:

  2019-06-13 17:55:22 1hbS4P-0004q8-LL <= linux-usb-ow...@vger.kernel.org \
  H=vger.kernel.org [209.132.180.67] P=esmtp K S=9996 DKIM=linaro.org [...]

  The first error message is logged with the same timestamp:

  2019-06-13 17:55:22 1hbS4P-0004q8-LL Format error in spool file
  1hbS4P-0004q8-LL-H: size=9934

If anyone has seen something like this before, I'd really appreciate
a pointer to some more information :-)

With kind regards,
Bjørn

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
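
A triage sketch for the two log lines quoted in this report, added here as an example and not code from the thread or from Exim: it lists every message that has a "Format error in spool file" entry and whether its arrival line carries the bare `K` field that Exim logs when the message was received with CHUNKING (BDAT), the feature the thread asks to disable. The function name `triage`, the sender addresses and the second sample message are constructed for illustration.

```python
import re

# Constructed sample modelled on the two log lines quoted in the report; the
# sender addresses and the whole second message are invented for contrast.
SAMPLE_LOG = """\
2019-06-13 17:55:22 1hbS4P-0004q8-LL <= sender@example.org H=vger.kernel.org [209.132.180.67] P=esmtp K S=9996 DKIM=linaro.org
2019-06-13 17:55:22 1hbS4P-0004q8-LL Format error in spool file 1hbS4P-0004q8-LL-H: size=9934
2019-06-13 18:01:07 1hbSAB-0004rT-2x <= sender@example.net H=mx.example.net [192.0.2.10] P=esmtps S=2101
2019-06-13 18:01:09 1hbSAB-0004rT-2x Completed
"""

# Timestamp, message ID in the 6-6-2 form shown in the report, rest of line.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$")
ERROR_RE = re.compile(r"Format error in spool file (\S+): size=(\d+)")
QUOTED_RE = re.compile(r'"[^"]*"')  # quoted values may contain a stray "K"


def triage(log_text):
    """Map each message ID with a spool format error to its arrival details."""
    arrivals, errors = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg_id, rest = m.groups()
        if rest.startswith("<= "):
            fields = QUOTED_RE.sub('""', rest).split()
            # Exim logs a bare "K" field when the CHUNKING extension was used.
            arrivals[msg_id] = {"received": ts, "chunking": "K" in fields}
        else:
            err = ERROR_RE.search(rest)
            if err:
                errors.setdefault(msg_id, {"error_at": ts,
                                           "spool_file": err.group(1),
                                           "size": int(err.group(2))})
    report = {}
    for msg_id, info in errors.items():
        # chunking stays None when the arrival line is not in this log.
        arrival = arrivals.get(msg_id, {"received": None, "chunking": None})
        report[msg_id] = {**info, **arrival}
    return report


if __name__ == "__main__":
    for msg_id, info in triage(SAMPLE_LOG).items():
        print(msg_id, info)
```

Run over a real mainlog, a `chunking` value of `True` on every affected message would fit the BDAT explanation given in the thread, while `False` entries would point elsewhere.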